Is there a way to tell how long a machine has been in a security group?

Machines get added to a security group to prevent them from getting a GPO. I'd like the machines to get removed after 30 days of being in the group. Ideally, I'd like to also be able to generate a report on the machines in the group.

Something like:

MachineA - 10 Days left

MachineB - 29 Days left


Solution 1:

Provided you have a Windows 2012 Domain controller, yes!


Where can we find group membership details?

When you look into the member attribute of an AD group you’ll find a list of all members in distinguished name format. But that’s it. There is no smoking gun or fingerprints that tell you how they got there. However, there is a little-known piece of data called replication metadata that can tell us exactly what we need. This data is quite special for groups, because it shows us the date individual members were added and removed. Awesome! But if you try to view it in the GUI it looks like ugly hex.

[...]

The Script

Here is the PowerShell goodness we’ve been awaiting (also attached at the bottom of the post):

Import-Module ActiveDirectory

$username = "janitor"
$userobj  = Get-ADUser $username

# Walk every group the user is a member of and pull the linked-value
# replication metadata for that group's 'member' attribute; each row is one
# member link, and FirstOriginatingCreateTime is when that link was created.
# -Server is required by Get-ADReplicationAttributeMetadata; run on a DC or
# point it at one.
Get-ADUser $userobj.DistinguishedName -Properties memberOf |
 Select-Object -ExpandProperty memberOf |
 ForEach-Object {
    Get-ADReplicationAttributeMetadata $_ -Server localhost -ShowAllLinkedValues |
      Where-Object {$_.AttributeName -eq 'member' -and
      $_.AttributeValue -eq $userobj.DistinguishedName} |
      Select-Object FirstOriginatingCreateTime, Object, AttributeValue
    } | Sort-Object FirstOriginatingCreateTime -Descending | Out-GridView

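The script above starts from a user and lists the groups they were added to. The question asks for the reverse: start from the group, report days left for each machine, and remove members after 30 days. The following is an added example, not code from the answer above or from the quoted post. It assumes a Windows Server 2012 or later domain controller, the RSAT ActiveDirectory module, and a placeholder group name 'GPO-Exempt-Computers'; it reads the same linked-value replication metadata, intersects it with the group's current member list so that tombstoned links of members removed earlier are ignored, and uses LastOriginatingChangeTime rather than FirstOriginatingCreateTime because that timestamp is refreshed when a member is removed and added back (so it reflects the current stay in the group).

```powershell
# Added example; not from the original question, answer, or quoted blog post.
# Assumes: Server 2012+ DC, RSAT ActiveDirectory module, and a placeholder
# group 'GPO-Exempt-Computers' whose members are exempted from a GPO.
Import-Module ActiveDirectory

function Get-TemporaryGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Group,
        [int]$MaxDays = 30,
        # Get-ADReplicationAttributeMetadata requires -Server; any DC will do.
        [string]$Server = ((Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1)
    )

    $groupObj = Get-ADGroup -Identity $Group -Server $Server -Properties member

    # Current members, keyed by DN. Metadata also keeps rows for links that were
    # deleted (LastOriginatingDeleteTime set); this filter drops those.
    $current = @{}
    foreach ($dn in $groupObj.member) { $current[$dn] = $true }

    Get-ADReplicationAttributeMetadata -Object $groupObj.DistinguishedName -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $current.ContainsKey($_.AttributeValue) } |
        ForEach-Object {
            # LastOriginatingChangeTime is updated when a removed member is re-added,
            # so it marks the start of the current stay; FirstOriginatingCreateTime
            # would still show the very first add.
            $added  = $_.LastOriginatingChangeTime
            $daysIn = [math]::Floor(((Get-Date) - $added).TotalDays)
            [pscustomobject]@{
                Member   = ($_.AttributeValue -split ',')[0] -replace '^CN='
                DN       = $_.AttributeValue
                Added    = $added
                DaysIn   = $daysIn
                DaysLeft = [math]::Max(0, $MaxDays - $daysIn)
            }
        } | Sort-Object DaysLeft
}

function Remove-ExpiredGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [int]$MaxDays = 30,
        [string]$Server = ((Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1)
    )

    Get-TemporaryGroupReport -Group $Group -MaxDays $MaxDays -Server $Server |
        Where-Object { $_.DaysLeft -le 0 } |
        ForEach-Object {
            # Honour -WhatIf / -Confirm so the scheduled run can be dry-run first.
            if ($PSCmdlet.ShouldProcess($_.DN, "Remove from $Group after $($_.DaysIn) days")) {
                Remove-ADGroupMember -Identity $Group -Members $_.DN -Server $Server -Confirm:$false
            }
        }
}

# Report in the "MachineA - 10 Days left" form the question asks for.
Get-TemporaryGroupReport -Group 'GPO-Exempt-Computers' |
    ForEach-Object { '{0} - {1} Days left' -f $_.Member, $_.DaysLeft }

# Dry run; drop -WhatIf in the scheduled task that actually enforces the 30 days.
Remove-ExpiredGroupMember -Group 'GPO-Exempt-Computers' -WhatIf
```

Two caveats when relying on this: the timestamps come from the originating DC's clock, so a DC with skewed time will skew the report, and the Member column is derived by splitting the DN on the first comma, which is fine for computer objects but would truncate a CN containing an escaped comma.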

Solution 2:

The only thing I can think of to solve this is a trick where you use an intermediate group as a dynamic object and then nest that into the primary group so that the user has the permissions conferred to the primary group by way of nested group membership, however, the intermediate group has a TTL (time to live, the entryTTL attribute) and when that TTL expires, the group will disappear and thus the nested group membership will vanish. Name the temporary group something like "MachineA 30 Day Temporary" or something.

This is referred to as "Dynamic Objects."
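An added example of the dynamic-object trick described in this answer (not code from the answer itself). It assumes a forest functional level of Windows Server 2003 or later (required for dynamic objects), the ActiveDirectory module, a placeholder primary group 'GPO-Exempt-Computers' and a placeholder OU 'OU=Temp Groups,DC=corp,DC=example' for the temporary groups. Requesting the dynamicObject auxiliary class by passing objectClass through -OtherAttributes is the assumption here; the same add can be done with ldifde, and it should be confirmed in a lab before being scheduled. The expiry the DC computes from entryTTL is stored in msDS-Entry-Time-To-Die, which is what the report reads.

```powershell
# Added example of the dynamic-object approach; not from the original answer.
# Assumes: forest functional level 2003+, ActiveDirectory module, placeholder
# primary group 'GPO-Exempt-Computers' and placeholder OU for temp groups.
# Assumption: New-ADGroup -OtherAttributes @{objectClass='dynamicObject'} adds
# the auxiliary class (verify in a lab; ldifde is the documented alternative).
Import-Module ActiveDirectory

$PrimaryGroup = 'GPO-Exempt-Computers'
$TempOU       = 'OU=Temp Groups,DC=corp,DC=example'

function New-TemporaryNestedGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Computer,   # computer sAMAccountName, no trailing '$'
        [Parameter(Mandatory)][string]$PrimaryGroup,
        [Parameter(Mandatory)][string]$Path,
        [int]$Days = 30
    )
    $name = "$Computer $Days Day Temporary"
    # entryTTL is in seconds. DCs enforce a minimum (DynamicObjectMinTTL, 900 s by
    # default), so very short TTLs are silently raised to that floor.
    $ttl  = $Days * 86400

    $temp = New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
        -GroupScope Global -Path $Path -PassThru `
        -OtherAttributes @{ objectClass = 'dynamicObject'; entryTTL = $ttl }

    # Machine goes into the temporary group; the temporary group nests into the
    # primary group. When the DC garbage-collects the expired dynamic object the
    # nested membership disappears with it.
    Add-ADGroupMember -Identity $temp -Members (Get-ADComputer -Identity $Computer)
    Add-ADGroupMember -Identity $PrimaryGroup -Members $temp

    Get-ADObject -Identity $temp.DistinguishedName -Properties entryTTL, 'msDS-Entry-Time-To-Die' |
        Select-Object Name, entryTTL, 'msDS-Entry-Time-To-Die'
}

function Get-TemporaryNestedGroupReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Only groups that carry the dynamicObject class live under this OU by convention.
    Get-ADObject -SearchBase $Path -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=group)(objectClass=dynamicObject))' `
        -Properties member, 'msDS-Entry-Time-To-Die' |
        ForEach-Object {
            $expires  = $_.'msDS-Entry-Time-To-Die'
            $daysLeft = [math]::Max(0, [math]::Floor(($expires - (Get-Date)).TotalDays))
            foreach ($memberDn in $_.member) {
                [pscustomobject]@{
                    Member    = ($memberDn -split ',')[0] -replace '^CN='
                    TempGroup = $_.Name
                    Expires   = $expires
                    DaysLeft  = $daysLeft
                }
            }
        } | Sort-Object DaysLeft
}

# Exempt MachineA for 30 days, then print the report the question asks for.
New-TemporaryNestedGroup -Computer 'MachineA' -PrimaryGroup $PrimaryGroup -Path $TempOU -Days 30
Get-TemporaryNestedGroupReport -Path $TempOU |
    ForEach-Object { '{0} - {1} Days left' -f $_.Member, $_.DaysLeft }

# Extending an exemption is a matter of writing a fresh TTL; the DC recomputes
# msDS-Entry-Time-To-Die from it (assumed to work via Set-ADObject -Replace).
# Set-ADObject -Identity "CN=MachineA 30 Day Temporary,$TempOU" -Replace @{ entryTTL = 30 * 86400 }
```

Two things to check before trusting this in production: dynamic objects cannot be created in the Configuration or Schema partitions (domain partition is fine, as here), and the garbage collection that removes an expired object runs on the DC's own schedule, so membership can outlive msDS-Entry-Time-To-Die by a short interval.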